Krea.ai API

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill is a coherent Krea.ai image-generation client; the main things to notice are its use of a local Krea API key and external API calls that may consume Krea account credits.

Before installing, confirm you are comfortable storing a Krea.ai API key for this skill and sending image prompts to Krea.ai. Keep the credential file permission-restricted, consider using a dedicated or revocable API key, and monitor Krea usage because generation jobs may consume credits.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When invoked, the skill can create Krea.ai generation jobs under the user's account.

Why it was flagged

The skill sends prompts and generation parameters to Krea.ai to create image-generation jobs. This is purpose-aligned, but users should recognize it can consume API quota or paid credits.

Skill content

BASE_URL = "https://api.krea.ai" ... req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")

Recommendation

Use the skill only for prompts you intend to send to Krea.ai, and monitor Krea usage or billing if the API key has paid quota.

What this means

Anyone or anything able to read the credential file could potentially use the user's Krea API access.

Why it was flagged

The skill requires a Krea.ai API credential stored in a local file or supplied via CLI. This is expected for the integration, but it grants access to the user's Krea account API.

Skill content

description: Krea.ai API key (format: KEY_ID:SECRET) ... file: ~/.openclaw/credentials/krea.json ... required: true

Recommendation

Use a dedicated Krea API key if possible, keep the file permission-restricted, avoid passing secrets on shared command lines, and revoke the key if no longer needed.

What this means

Users have less external context for verifying who maintains the skill or where updates originate.

Why it was flagged

The provided metadata does not identify an upstream source or homepage. This is not suspicious by itself, but it reduces provenance clarity for a skill that asks for an API credential.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included files before installing and compare the documented API behavior with Krea.ai's official documentation.